DETAILED ACTION 
Response to Arguments 

1. Applicant's arguments, pertaining to the 103 rejections of the previous action, are persuasive. 
Therefore, the rejection has been withdrawn. However, upon further consideration, a new ground(s) of 
rejection is made in view of Halligan, US PGP No. 20010044737. 

CLAIMS PRESENTED 

Claims 38-49 are presented. 

CLAIM REJECTIONS 

Claim Rejections - 35 USC § 103 

2. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

3. Claims 38-49 are rejected under 35 U.S.C. 103(a) as being unpatentable 
over Voss, US Patent No. 7552480, and further in view of Halligan, US PGP No. 
20010044737. 

As per claims 38, 44: 

A computer program product for evaluating a security risk of an application, the computer program 
product comprising: 

[see col. 3, lines 15-20, "system for assessing and quantifying the risk exposure of an information 
system or application using a one-dimensional quantitative risk assessment model."] 
one or more computer-readable tangible storage devices and program instructions stored on at least one 
of the one or more storage devices, the program instructions comprising: 

program instructions to determine whether employees of two or more customer corporations are 
authorized to concurrently share use of the application; 

[see col. 4, lines 23-32, wherein establishing the numerical value for the threat of attack involves 
establishing the potential for an attack on the information system asset by a threat agent and 
further wherein a threat agent is defined as casual users, kiddy scriptors, hackers, disgruntled 
employees, legitimate consumers, competitors, etc. Examiner understands this to mean that a 
threat value is calculated based on whether the application can be exploited by different users, 
which is considered to be analogous to applicant's claim language of being shared by different 
customers; see also col. 7-8.] 

program instructions to determine whether a vulnerability in the application can be exploited by a user 
which has not been authenticated to the application; 

[see col. 4, lines 42-52, wherein establishing a numerical value includes identifying one or more 
unauthorized privileges such as security administrator privileges; see also col. 7-8.] 

program instructions to assign numerical weights to the respective determinations, each of the numerical 
weights corresponding to a significance of the respective determination in quantifying the security risk; 
program instructions to combine the numerical weights to quantify the security risk; and 

[see col. 4, lines 53-60, wherein the security risk level for the information asset is calculated as a 
product of the numerical value of the threat of attack times the numerical value for the access 
component of the vulnerability times the numerical value for the privilege component of the 
vulnerability to attack on the information system asset] 

The Voss reference has been discussed above. While Voss teaches quantifying the security risks, Voss 
is mute in teaching comparing the quantified security risks with a monetary value of a benefit of the 
application. For this limitation, examiner relies on the Halligan reference. Halligan teaches a method 
wherein trade secrets are analyzed in order to calculate their value to the company. An analysis of the 
trade secret and its economic benefit factor are described in paragraphs 119-121. While the Halligan 
reference does not deal with security risks related to the adoption of an application by a company, 
Halligan does analyze the risks and benefits associated with sharing trade secrets. Examiner views that 
this is in a similar line as analyzing the risks and benefits of using an application which will allow 
customers to share access to private information. It would have been obvious to one of ordinary skill in 
the art to modify the Voss reference to compare the risk associated with the application with the economic 
benefits that are associated with using the application. Doing so would let the company using the 
application know whether or not it is worthwhile to use the application even though possible risks exist. 

As per claims 39, 45: 

The computer program product of claim 38 further comprising: 

program instructions, stored on at least one of the one or more storage devices, to determine whether 
there is a requirement for authentication for user access to the application; and wherein the program 
instructions to assign numerical weights to the respective determinations assign a numerical weight to the 
determination whether there is a requirement for authentication for user access to the application; and 
the program instructions to combine the numerical weights to quantify the security risk also use the 
numerical weight for the determinations whether there is a requirement for authentication for user access 
to the application, in quantifying the security risk. 

[see col. 8, lines 1-14, wherein Voss teaches that a normal user who exploits a vulnerability 
might have additional control to see and/or delete other person's data that he or she would not 
otherwise have] 

As per claims 40, 46: 

The computer program product of claim 38 further comprising: 

program instructions, stored on at least one of the one or more storage devices, to determine whether a 
third party can obtain unauthorized administrative authority to data maintained by the application; and 
program instructions, stored on at least one of the one or more storage devices, to determine whether a 
third party can obtain unauthorized read and/or write access to data maintained by the application; and 
wherein the program instructions to assign numerical weights to the respective determinations assign a 
numerical weight to the determination whether a third party can have unauthorized administrative 
authority to data maintained by said application, and assign a numerical weight to the determination 
whether a third party can have unauthorized read and/or write access to data maintained by said 
application; and the program instructions to combine the numerical weights to quantify the security risk 
also use the numerical weight for the determinations whether a third party can have unauthorized 
administrative authority to data maintained by said application and the numerical weight for the 
determination whether a third party can have unauthorized read and/or write access to the data, in 
quantifying the security risk. 

[see col. 4, lines 42-52, wherein establishing a numerical value includes identifying one or more 
unauthorized privileges such as super user read privileges; see also col. 7-8.] 

As per claims 41, 47: 

The computer program product of claim 38 further comprising: 

program instructions, stored on at least one of the one or more storage devices, to determine whether 
data accessible by a user via the application is confidential; the program instructions to assign numerical 
weights to the respective determinations assign a numerical weight to the determination whether data 
accessible by a user via the application is confidential; and the program instructions to combine the 
numerical weights to quantify the security risk also use the numerical weight for the determinations 
whether data accessible by a user via the application is confidential. 

[see col. 11, unauthorized access to audit logs, wherein audit logs are viewed as confidential data] 

As per claims 42-43, 48-49: 

The computer program product of claim 38 wherein the monetary value of the benefit of the application is 
a cost savings/revenue gained due to use of the application. 
[see Halligan, paragraphs 120-121] 
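The rejected claims 38-43, read together, describe a scoring procedure: a set of yes/no determinations about the application, a numerical weight per determination, a combination of those weights into a risk figure, and a comparison of that figure with the monetary benefit of the application. The following is an added illustration of that procedure written for this page; it is not code from the application, from Voss, or from Halligan. The weight values, the maximum-loss figure and the way the risk score is converted to money are assumptions made for the example.

```python
from dataclasses import dataclass, asdict

@dataclass(frozen=True)
class Determinations:
    """The yes/no findings named in claims 38-41 (True = the finding is made)."""
    shared_by_multiple_customers: bool  # claim 38: employees of 2+ customer corporations share the app
    exploitable_unauthenticated: bool   # claim 38: a vulnerability usable without authenticating
    authentication_required: bool       # claim 39: the risk condition holds when this is False
    third_party_admin_authority: bool   # claim 40: unauthorized administrative authority over data
    third_party_read_write: bool        # claim 40: unauthorized read and/or write access to data
    data_is_confidential: bool          # claim 41: data reachable via the app is confidential

# One numerical weight per determination (claim 38: its significance in quantifying the risk).
# These values are constructed for illustration; the page gives no weights.
WEIGHTS = {
    "shared_by_multiple_customers": 0.20,
    "exploitable_unauthenticated": 0.25,
    "authentication_required": 0.10,
    "third_party_admin_authority": 0.20,
    "third_party_read_write": 0.15,
    "data_is_confidential": 0.10,
}
# Determinations whose risk condition holds when the finding is False.
RISKY_WHEN_FALSE = {"authentication_required"}

def quantify_risk(d: Determinations, weights=WEIGHTS) -> float:
    """Combine the weights of the findings whose risk condition holds, normalised to [0, 1]."""
    total = sum(weights.values())
    if total <= 0:
        raise ValueError("weights must sum to a positive value")
    risky = 0.0
    for name, value in asdict(d).items():
        condition_holds = (not value) if name in RISKY_WHEN_FALSE else value
        if condition_holds:
            risky += weights[name]
    return round(risky / total, 4)

def evaluate(d: Determinations, benefit_value: float, max_loss: float) -> dict:
    """Compare the quantified risk with the monetary benefit (claims 38 and 42-43).
    Assumption (not stated on the page): the risk score is turned into money by
    scaling an assumed maximum-loss figure, and the application is worthwhile when
    the benefit (cost savings or revenue gained) exceeds that expected loss."""
    score = quantify_risk(d)
    expected_loss = score * max_loss
    return {"risk_score": score, "expected_loss": expected_loss,
            "worthwhile": benefit_value > expected_loss}
```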
Conclusion 

4. Applicant's amendment necessitated the new ground(s) of rejection presented in this Office 
action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of 
the extension of time policy as set forth in 37 CFR 1.136(a). 

A shortened statutory period for reply to this final action is set to expire THREE MONTHS from 
the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date 
of this final action and the advisory action is not mailed until after the end of the THREE-MONTH 
shortened statutory period, then the shortened statutory period will expire on the date the advisory action 
is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of 
the advisory action. In no event, however, will the statutory period for reply expire later than SIX 
MONTHS from the date of this final action. 

3. Any response to this Office Action should be faxed to (571) 273-8300 or mailed to: 

Commissioner for Patents 

P.O. Box 1450 
Alexandria, VA 22313-1450 

Hand-delivered responses should be brought to 

Customer Service Window 
Randolph Building 
401 Dulaney Street 
Alexandria, VA 22314 

4. Any inquiry concerning this communication or earlier communications from the examiner should 
be directed to Daniel L. Hoang whose telephone number is 571-270-1019. The examiner can normally 
be reached on Monday - Thursday, 8:00 a.m. - 5:00 p.m., EST. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, 
Nasser Moazzami can be reached at (571) 272-4195. The fax phone number for the organization where 
this application or proceeding is assigned is 571-273-8300. 
Information regarding the status of an application may be obtained from the Patent Application 
Information Retrieval (PAIR) system. Status information for published applications may be obtained 
from either Private PAIR or Public PAIR. Status information for unpublished applications is available 
through Private PAIR only. For more information about the PAIR system, see 
http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the 
Electronic Business Center (EBC) at 866-217-9197 (toll-free). 



/Daniel L. Hoang/ 
Examiner, Art Unit 2436 



/Nasser Moazzami/ 

Supervisory Patent Examiner, Art Unit 2436 